.. _version_history_1.32.0:

1.32.0 (Pending)
=================

Incompatible behavior changes
-----------------------------
*Changes that are expected to cause an incompatibility if applicable; deployment changes are likely required*

* **eds**: Enabled caching of EDS assignments when used with ADS by default (introduced in Envoy v1.28).
  Prior to this change, Envoy required that EDS assignments were sent after an EDS cluster was updated.
  If no EDS assignment was received for the cluster, it ended up with an empty assignment.
  Following this change, after a cluster update, Envoy waits for an EDS assignment until
  :ref:`initial_fetch_timeout ` times out, and will then apply the cached assignment and finish updating
  the warmed cluster. This change can be temporarily disabled by setting the runtime flag
  ``envoy.restart_features.use_eds_cache_for_ads`` to ``false``.
* **golang**: Changed the ``OnLogDownstreamStart``, ``OnLogDownstreamPeriodic`` and ``OnLog`` methods so that users can get
  the request/response headers and trailers when producing access logs.
* **http**: Added HTTP1-safe option for :ref:`max_connection_duration ` in HttpConnectionManager. When enabled,
  ``max_connection_duration`` will only drain downstream HTTP1 connections by adding the ``Connection: close``
  response header; it will never cause the HttpConnectionManager to close the connection itself.
  Defaults to off ("unsafe" -- check \#34356) and is configurable via :ref:`http1_safe_max_connection_duration `.
* **stats scoped_rds**: Added new tag extraction so that scoped rds stats have their :ref:`scope_route_config_name `
  and stat prefix extracted.
* **tracing**: Removed support for (long deprecated) opentracing. See `issue 27401 `_ for details.

Minor behavior changes
----------------------
*Changes that may cause incompatibilities for some users, but should not for most*

* **command line options**: :option:`--enable-fine-grain-logging` and :option:`--component-log-level` were incompatible
  in that one would make the other ineffective. Setting both options at once is now an error, to reduce potential confusion.
* **http3**: HTTP/3 alt-svc headers will now be respected from IP-address-based hostnames. This change is guarded by
  runtime guard ``envoy.reloadable_features.allow_alt_svc_for_ips``.
* **http3**: The ACCEPT_UNTRUSTED option now works more consistently for HTTP/3 requests. This change is guarded by
  ``envoy.reloadable_features.extend_h3_accept_untrusted``.
* **lua**: When a Lua script executes ``httpCall``, backpressure is exercised when receiving the body from the downstream
  client. This behavior can be reverted by setting the runtime guard
  ``envoy.reloadable_features.lua_flow_control_while_http_call`` to false.
* **sni**: When computing SNI and SAN value for the auto-sni and auto-san verification feature, route host manipulations
  are now taken into account. This behavior can be reverted by setting the runtime guard
  ``envoy_reloadable_features_use_route_host_mutation_for_auto_sni_san`` to false.
* **tcp**: Added support for :ref:`connection_pool_per_downstream_connection ` flag in tcp connection pool.

Bug fixes
---------
*Changes expected to improve the state of the world and are unlikely to have negative effects*

* **c-ares**: Applied a C-ares patch to fix DNS resolution by the Google gRPC library.
* **dns**: The DNS filter no longer returns FORMERR if a message has an ID of 0.
* **ext_proc**: Added a runtime guard for the timeout error code 504 Gateway Timeout that is returned to downstream. If the
  runtime flag ``envoy.reloadable_features.ext_proc_timeout_error`` is set to false, the old error code
  500 Internal Server Error will be returned.
* **quic**: Fixed access log formatter ``%CONNECTION_ID%`` for QUIC connections.
* **rbac**: RBAC will now allow stat prefixes configured in per-route config to override the base config's stat prefix.
* **websocket**: Fixed a bug where the websocket upgrade filter would not take into account per-filter configs.

Removed config or runtime
-------------------------
*Normally occurs at the end of the* :ref:`deprecation period `

* **DNS**: Removed ``envoy.reloadable_features.dns_cache_set_first_resolve_complete`` runtime flag and legacy code paths.
* **dynamic forward proxy**: Removed ``envoy.reloadable_features.normalize_host_for_preresolve_dfp_dns`` runtime flag
  and legacy code paths.
* **ext_proc**: Removed runtime flag ``envoy_reloadable_features_immediate_response_use_filter_mutation_rule``
  and legacy code path.
* **ext_proc**: Removed runtime flag ``envoy_reloadable_features_send_header_raw_value`` and legacy code path.
* **grpc reverse bridge**: Removed ``envoy.reloadable_features.grpc_http1_reverse_bridge_change_http_status``
  runtime flag and legacy code paths.
* **grpc reverse bridge**: Removed ``envoy.reloadable_features.grpc_http1_reverse_bridge_handle_empty_response``
  runtime flag and legacy code paths.
* **http**: Removed runtime flag ``envoy.reloadable_features.abort_filter_chain_on_stream_reset`` and legacy code path.
* **http**: Removed runtime flag ``envoy.reloadable_features.http1_connection_close_header_in_redirect``
  and legacy code paths.
* **http**: Removed runtime flag ``envoy.reloadable_features.no_downgrade_to_canonical_name`` and legacy code path.
* **quic**: Removed ``envoy.reloadable_features.quic_fix_filter_manager_uaf`` runtime flag and legacy code paths.
* **stateful_session**: Removed ``envoy.reloadable_features.stateful_session_encode_ttl_in_cookie`` runtime flag
  and legacy code paths.
* **tls**: Removed runtime flag ``envoy.reloadable_features.ssl_transport_failure_reason_format``.
* **udp**: Removed ``envoy.restart_features.udp_read_normalize_addresses`` runtime flag and legacy code paths.
* **upstream**: Removed runtime flag ``envoy.reloadable_features.avoid_zombie_streams`` and legacy code paths.
* **upstream**: Removed runtime flag ``envoy.reloadable_features.upstream_allow_connect_with_2xx`` and legacy code paths.
* **upstream flow control**: Removed ``envoy.reloadable_features.upstream_wait_for_response_headers_before_disabling_read``
  runtime flag and legacy code paths.

New features
------------
* **access log**: Added support for :ref:`%DOWNSTREAM_PEER_CHAIN_FINGERPRINTS_1% `,
  ``%DOWNSTREAM_PEER_CHAIN_FINGERPRINTS_256%``, and ``%DOWNSTREAM_PEER_CHAIN_SERIALS%``, as access log formatters.
* **access_log**: Added new access log command operators ``%START_TIME_LOCAL%`` and ``%EMIT_TIME_LOCAL%``,
  similar to ``%START_TIME%`` and ``%EMIT_TIME%``, but using the local time zone.
* **access_log**: Added ``%UPSTREAM_CLUSTER_RAW%`` access log formatter to log the original upstream cluster name,
  regardless of whether ``alt_stat_name`` is set.
* **dns**: Prefer using the IPv6 address when addresses from both families are available.
  Can be reverted by setting ``envoy.reloadable_features.prefer_ipv6_dns_on_macos`` to false.
* **ext_authz**: Added config field :ref:`filter_metadata ` for injecting arbitrary data to the filter state for logging.
* **formatter**: Added full-featured ``absl::FormatTime()`` support to the DateFormatter. This allows the timepoint
  formatters (like ``%START_TIME%``) to use ``%E#S``, ``%E*S``, ``%E#f`` and ``%E*f`` to format the subsecond part
  of the timepoint.
* **grpc_field_extraction**: Added ``map`` support: Target fields of type ``map`` can be extracted and added to
  dynamic metadata.
* **http_11_proxy**: Added the option to configure the transport socket via locality or endpoint metadata.
* **jwt_authn**: Added missing implementation to jwt_authn matchers to allow glob pattern matching.
* **matching**: Added dynamic metadata matcher support :ref:`Dynamic metadata input ` and
  :ref:`Dynamic metadata input matcher `.
* **ratelimit**: Added the ability to modify :ref:`hits_addend ` by setting filter state value
  ``envoy.ratelimit.hits_addend`` to the desired value.
* **rbac**: Added :ref:`delay_deny ` to support denying the connection after the configured duration.
* **redis**: Added support for publish.
* **sockets**: Added socket ``type`` field for specifying a socket type to apply the socket option to under
  :ref:`SocketOption `. If not specified, the socket option will be applied to all socket types.
* **tls**: Added :ref:`prefer_client_ciphers ` to support enabling client cipher preference instead of the server's
  for TLS handshakes.
* **tls**: Added an extension point :ref:`custom_tls_certificate_selector ` to allow overriding TLS certificate
  selection behavior. An extension can select a certificate based on the incoming SNI, in both sync and async mode.